Revision as of 12:53, 2 November 2009

Main

The project was initially inspired by the input validation framework Heimdall [1],
whose main goal is a clear separation between validation and application logic.
Heimdall achieves this separation with an XML configuration file
that defines which tests are to be run on which object properties.

The first step of our project was to check whether
the external XML file could be eliminated by using annotations
to associate tests with object properties instead.

After a new input validation framework based on annotations was successfully implemented,
the focus of the project shifted to investigating how far annotations can be pushed
for validation purposes, while keeping their use as intuitive and simple as possible.

So far we have defined and implemented:

composed annotations: which allow the user to combine existing annotations with boolean operators to create new tests without writing new code.

cross annotations: which allow the user to define tests over several object properties with inter-dependent validation constraints, rather than over single properties only.
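The following is an added example, not the project's own code, showing how both ideas can be realized with plain Java reflection: two leaf tests (Length, Matches), a Composed marker whose stacked tests are combined with AND or OR, two composed annotations built from the leaves without new test code (Username, OptionalEmail), and a class-level cross annotation (FieldsEqual) that constrains two properties together. All annotation, class and method names here are invented for the illustration and are not the framework's API.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Hypothetical validator (not the project's code). Run with: java AnnotationValidator.java
public class AnnotationValidator {

    // Evaluate one annotation against one property value.
    // Leaf tests report directly; a @Composed annotation recurses into the tests stacked on it.
    static List<String> check(String field, String value, Annotation a) {
        List<String> errors = new ArrayList<>();
        if (a instanceof Length) {
            Length l = (Length) a;
            if (value.length() < l.min() || value.length() > l.max())
                errors.add(field + ": length must be between " + l.min() + " and " + l.max());
        } else if (a instanceof Matches) {
            String re = ((Matches) a).value();
            if (!value.matches(re)) errors.add(field + ": does not match " + re);
        } else {
            Composed comp = a.annotationType().getAnnotation(Composed.class);
            if (comp == null) return errors;            // unknown annotation: no test to run
            int passed = 0;
            List<String> inner = new ArrayList<>();
            for (Annotation part : a.annotationType().getAnnotations()) {
                boolean isTest = part instanceof Length || part instanceof Matches
                        || part.annotationType().isAnnotationPresent(Composed.class);
                if (!isTest) continue;                  // skip @Retention, @Target, @Composed itself
                List<String> e = check(field, value, part);
                if (e.isEmpty()) passed++; else inner.addAll(e);
            }
            if (comp.value() == Op.AND) errors.addAll(inner);        // AND: every part must pass
            else if (passed == 0) errors.add(field + ": no alternative of @"   // OR: one must pass
                    + a.annotationType().getSimpleName() + " matched");
        }
        return errors;
    }

    // Validate every annotated field, then the class-level cross annotation.
    static List<String> validate(Object obj) throws ReflectiveOperationException {
        List<String> errors = new ArrayList<>();
        Class<?> cls = obj.getClass();
        for (Field f : cls.getDeclaredFields()) {
            f.setAccessible(true);
            Object v = f.get(obj);
            String s = v == null ? "" : v.toString();   // null is validated as the empty string
            for (Annotation a : f.getAnnotations()) errors.addAll(check(f.getName(), s, a));
        }
        FieldsEqual eq = cls.getAnnotation(FieldsEqual.class);
        if (eq != null) {                               // cross annotation: two properties must agree
            Field a = cls.getDeclaredField(eq.first()); a.setAccessible(true);
            Field b = cls.getDeclaredField(eq.second()); b.setAccessible(true);
            if (!Objects.equals(a.get(obj), b.get(obj)))
                errors.add(eq.first() + " and " + eq.second() + ": must be equal");
        }
        return errors;
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Constructed sample input: one valid registration, one violating every kind of rule.
        System.out.println(validate(new Registration("alice_01", "correct horse", "correct horse", "")));
        System.out.println(validate(new Registration("bad name!", "short", "different", "not-an-email")));
    }
}

// Leaf tests. ANNOTATION_TYPE is in the target so they can be stacked onto a composed annotation.
@Retention(RetentionPolicy.RUNTIME) @Target({ElementType.FIELD, ElementType.ANNOTATION_TYPE})
@interface Length { int min() default 0; int max(); }

@Retention(RetentionPolicy.RUNTIME) @Target({ElementType.FIELD, ElementType.ANNOTATION_TYPE})
@interface Matches { String value(); }

// Marks an annotation as composed; the tests stacked on it are combined with AND or OR.
enum Op { AND, OR }
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.ANNOTATION_TYPE)
@interface Composed { Op value() default Op.AND; }

// Composed (AND): 1 to 32 characters, letters, digits or underscore only.
@Composed(Op.AND) @Length(min = 1, max = 32) @Matches("[A-Za-z0-9_]+")
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface Username {}

// Composed (OR): either empty or shaped like an e-mail address.
@Composed(Op.OR) @Length(max = 0) @Matches("[^@\\s]+@[^@\\s]+\\.[A-Za-z]{2,}")
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface OptionalEmail {}

// Cross annotation: a constraint over two properties of the annotated class.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface FieldsEqual { String first(); String second(); }

@FieldsEqual(first = "password", second = "confirm")
class Registration {
    @Username String username;
    @Length(min = 8, max = 64) String password;
    @Length(min = 8, max = 64) String confirm;
    @OptionalEmail String email;
    Registration(String u, String p, String c, String e) { username = u; password = p; confirm = c; email = e; }
}
```

Note that Username and OptionalEmail contain no test logic of their own: the validator discovers the stacked leaf annotations through the annotation type's own metadata, which is what lets a composed annotation be defined purely declaratively. Nested composition works the same way, since a composed annotation may itself be stacked onto another composed one. The cross annotation lives on the class rather than on a field because it has no single property to attach to.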

Other main features that characterize the framework are:

Easy integration into any existing Java project

High reusability of existing validation tests

Possibility of creating new custom annotations with little effort

A slide presentation (PDF) and a full technical report (PDF) are available.

The final goal of the project is to create a framework for input validation based on annotations, which is easy to use and will
help integrate this aspect of security into both new and existing applications.

The current goals are:

Continuously improve the framework with frequent releases

Extend the library of predefined annotations

Create an Eclipse plug-in to simplify the creation of custom annotations and help their insertion in the application code

Investigate further uses of annotations for input validation

Improve both the documentation

Implement a better summary of the validation results, one that can carry custom error messages and is easy for the user to query

Project Identification


What is this project?

OWASP Content Validation using Java Annotations Project

Purpose: We wish to explore the use of Java annotations for object validation, specifically for content validation. The result will be a framework which should be easy to use with an existing application. The existing approaches are either part of a large framework (e.g. JSR-303), which makes certain assumptions about the application, or restrict the developer in extending and/or customizing the validation framework.
We have an initial implementation of a flexible framework which can be deployed with any Java application. We have also submitted a paper on our approach to an international security conference to be held later this year.
